The following figure shows the overall security infrastructure for Oracle Business Intelligence. End users connect to applications hosted in the Oracle WebLogic Server JEE environment, which in turn connect to the Oracle BI Presentation Server and Oracle BI Server. The Oracle BI Server then authenticates users through the Security Service hosted in the WebLogic Server, which uses a feature called Oracle Platform Security Services to connect to embedded and external authenticators and directory services.
Oracle Business Intelligence security infrastructure
At a high level, when end users navigate to the Oracle Business Intelligence web site and enter their username and password in order to view a dashboard, the following process takes place:
1. Users enter their usernames and passwords into the analytics application (http://obisrv1:9704/analytics) that runs on WebLogic and is displayed in their browser.
2. The User ID and password are then sent to Oracle BI Presentation Services.
3. Oracle BI Presentation Services uses these credentials as part of the ODBC connection string that it uses to connect to the Oracle BI Server.
4. The Oracle BI Server calls the Security Service (bimiddleware) to authenticate these user credentials.
5. The Security Service calls Oracle Platform Security Services (OPSS), to authenticate users against the embedded LDAP server or whatever external directory has been connected to OPSS, and to establish which LDAP groups, application roles, and application policies have been granted to the users.
6. Finally, the Security Service passes this information back to the Oracle BI Server, and the BI session is considered authenticated.
OPSS, thus, is central to the entire authentication, authorization, and security process. Let’s explore which services OPSS provides and how it facilitates the connection between Oracle Business Intelligence security infrastructure and your organization’s security arrangements.
Oracle Platform Security Services
Because organizations typically have diverse security requirements, Oracle Fusion Middleware, on which Oracle Business Intelligence is built, uses a security abstraction layer called Oracle Platform Security Services (OPSS) to connect to companies’ various authenticators and other security frameworks. Instead of having Fusion Middleware, and therefore Oracle Business Intelligence, connect directly to directory servers such as Microsoft Active Directory, it connects via OPSS, which has a standard interface over this directory through a “provider.”
The following figure shows an overview of OPSS and how it uses providers to extend connectivity to these services.
At a high level, OPSS provides three abstracted services for OBIEE and for other Fusion Middleware–based applications:
Identity store: By default this is set to use the embedded WebLogic Server LDAP server, but it can be configured to connect to an external directory such as Microsoft Active Directory.
Policy store: This contains the application roles, application policies, and the permissions they use. By default they are stored in a file called system-jazn-data.xml, but the policy store can be redirected to an LDAP-based or file-based store.
Credential store: This replaces the external credential store that OBIEE 10g used; it holds the usernames, passwords, and other credentials that system services require.
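To make the relationship between the identity store and the policy store concrete, here is an added example (not Oracle or OPSS code) that models steps 5 and 6 above: a user's LDAP groups are looked up in a constructed identity store, then mapped through nested application roles to the permissions the application policies grant. The user, group, role and permission names are constructed for illustration; the membership layout and the transitive role resolution are assumptions of this model, not a description of the system-jazn-data.xml format.

```python
# Added illustration, not Oracle/OPSS code: a constructed model of how the
# identity store (user -> LDAP groups) and the policy store (groups ->
# application roles -> permissions) combine once a user is authenticated.

# Constructed identity store: the LDAP groups each user belongs to.
IDENTITY_STORE = {
    "alice": {"BIAdministrators"},
    "bob": {"BIAuthors"},
    "carol": {"BIConsumers"},
    "dave": set(),  # authenticated, but in no BI group
}

# Constructed policy store, part 1: application roles and their members.
# A member may be an LDAP group or another application role; nesting is
# what makes the resolution below transitive (assumed layout).
APP_ROLE_MEMBERS = {
    "BIAdministrator": {"BIAdministrators"},
    "BIAuthor": {"BIAuthors", "BIAdministrator"},
    "BIConsumer": {"BIConsumers", "BIAuthor"},
}

# Constructed policy store, part 2: permissions granted to each role.
POLICIES = {
    "BIAdministrator": {"manage_repository"},
    "BIAuthor": {"develop_report"},
    "BIConsumer": {"read_catalog"},
}


def effective_roles(user):
    """Return every application role the user holds, following nested roles
    to a fixpoint. An unknown user resolves to no roles (fail closed)."""
    principals = set(IDENTITY_STORE.get(user, set()))
    changed = True
    while changed:
        changed = False
        for role, members in APP_ROLE_MEMBERS.items():
            if role not in principals and members & principals:
                principals.add(role)
                changed = True
    return principals & set(APP_ROLE_MEMBERS)


def effective_permissions(user):
    """Union of the permissions granted to the user's effective roles."""
    perms = set()
    for role in effective_roles(user):
        perms |= POLICIES.get(role, set())
    return perms


def is_authorized(user, permission):
    """The check a service would make after the Security Service returns."""
    return permission in effective_permissions(user)
```

Because BIAdministrator is a member of BIAuthor, which is a member of BIConsumer, an administrator inherits the lower roles' permissions, while a user in no group (or an unknown user) gets none.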